As we all know, this is done in Web.config by changing the
value of <authentication> tag.
The default timeout for forms authentication is 30 minutes.
It indicates that 30 minutes of inactivity on the application will cause
timeout expiration and the user will be prompted to the login page. Any hit to
the site after login will reset this clock to 30 minutes again starting from
that time. If we want to override this setting then we can include this in the
above <forms> tag. See MSDN for a full list of attributes that can be
specified in this tag.
After configuring forms authentication we need to configure the
authorization part of the Web.Config.
The above setting says it will allow all the users because
the posted content should be viewed by anyone as I said in the Scenario
section. The next section will explain the configuration settings to restrict
users accessing the pages in Admin and Publisher folders.